-------
Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Nancy Dao
Kevin Gray
Eric Jackson Jr.
Nii-Lantei Lamptey
Alonzo Munyeneh
Gina Ross
Scott Sammons
Abbreviations
CIO	Chief Information Officer
COR	Contracting Officer's Representative
EPA	U.S. Environmental Protection Agency
EPAAG	Environmental Protection Agency Acquisition Guide
FY	Fiscal Year
ISO	Information Security Officer
IT	Information Technology
OIG	Office of Inspector General
RBT	Role-Based Training
Cover Image: Only 33 percent (seven of 21) of EPA offices submitted a complete response by
September 30, 2018, certifying that contractors completed the required RBT.
(EPA OIG image)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

-------
U.S. Environmental Protection Agency	20-P-0007
Office of Inspector General	October 21, 2019
At a Glance
Why We Did This Project
The Office of Inspector General (OIG) for the U.S. Environmental Protection Agency (EPA)
conducted this follow-up audit to determine whether the EPA completed actions for
Recommendation 3 in prior OIG Report No. 17-P-0344. The recommendation required the EPA
to maintain a list of contractors required to take role-based training (RBT) and validate
that all contractors have completed RBT. We further sought to determine (1) whether EPA
offices' fiscal year 2018 certifications were accurate and (2) what additional steps are
needed to verify contractors' completion of RBT.
RBT is continuous education that improves current knowledge, skills and abilities for a
particular job function.
This report addresses the following:
•	Operating efficiently and effectively.
Management Alert: EPA Still Unable to Validate
that Contractors Received Role-Based Training
for Information Security Protection
What We Found
The EPA continues to lack information to monitor
compliance with the following RBT requirements:
•	Confirming that contractor personnel completed
the required RBT.
•	Including RBT provisions in existing information
technology services contracts.
•	Maintaining a list of contractor personnel required
to complete RBT.
These weaknesses occurred because:
•	Most EPA offices did not validate that all contractors completed the
required RBT.
•	EPA Contracting Officer's Representatives were unfamiliar with RBT
requirements.
•	The EPA's directives did not explicitly designate who is responsible for
maintaining a list of contractors required to complete RBT.
The EPA has limited assurance that contractor personnel are maintaining skills needed to
combat efforts to destroy, steal or hold for ransom the EPA's systems and sensitive
information.
As a result, only seven of 21 (33 percent) EPA offices submitted a complete
response by September 30, 2018, to the EPA's Chief Information Security Officer
certifying that contractors completed the required RBT. We are issuing this
management alert on these weaknesses because immediate improvements are
needed to verify that contractors are trained in their roles to protect agency
systems and data.
Address inquiries to our public affairs office at (202) 566-2391 or
OIG_WEBCOMMENTS@epa.gov.
List of OIG reports.
Recommendations and Planned Agency Corrective Actions
We recommend the Assistant Administrator for Mission Support (1) validate that all
EPA offices submit the annual RBT certifications, (2) train EPA Contracting
Officer's Representatives on mandatory RBT requirements, (3) implement a plan
to identify which existing information technology services contracts should
include RBT requirements, and (4) require EPA offices to maintain a list of
contractor personnel required to complete RBT. The EPA completed corrective
actions for Recommendations 1 and 4. The agency agreed to
Recommendations 2 and 3 but has not provided corrective actions or milestone
dates. Recommendations 2 and 3 are therefore unresolved.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
October 21, 2019
MEMORANDUM
SUBJECT: Management Alert: EPA Still Unable to Validate that Contractors Received
Role-Based Training for Information Security Protection
Report No. 20-P-0007
FROM: Charles J. Sheehan, Acting Inspector General
TO: Donna Vizian, Principal Deputy Assistant Administrator
Office of Mission Support
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). The project number for this audit was
OA&E-FY19-0103. This report contains findings that describe the problems the OIG has identified and
corrective actions the OIG recommends. This report represents the opinion of the OIG and does not
necessarily represent the final EPA position. Final determinations on matters in this report will be made
by EPA managers in accordance with established audit resolution procedures.
We issued a discussion document presenting our audit results to the EPA on June 3, 2019, for its
review. In addition, we met with the EPA on July 8, 2019, to discuss our audit results. The EPA did
not provide a formal written response to the discussion document. However, we summarized
management's verbal response to the report's findings and recommendations. The EPA concurred with
our audit results and with issuing this management alert as a final report on an expedited schedule.
Within the Office of Mission Support, the Office of Information Security and Privacy and the Office of
Acquisition Solutions are responsible for the issues discussed in this report.
The Office of Mission Support provided acceptable evidence to support that corrective actions were
completed in response to Recommendations 1 and 4, and no further response is required for these
recommendations.
Action Required
The Office of Mission Support did not provide planned corrective actions or milestone dates for
Recommendations 2 and 3. Therefore, Recommendations 2 and 3 are unresolved. In accordance with
EPA Manual 2750, you are required to provide a written response for these recommendations within
60 calendar days. You should include planned corrective actions and completion dates for all
recommendations that need additional information for resolution. Your response will be posted on the
OIG's website, along with our memorandum commenting on your response. Your response should be
provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the
Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want
to be released to the public; if your response contains such data, you should identify the data for
redaction or removal along with corresponding justification.
We will post this report to our website at www.epa.gov/oig.

-------
Management Alert: EPA Still Unable to Validate
that Contractors Received Role-Based Training
for Information Security Protection
20-P-0007
Table of Contents
Purpose		1
Background		1
Responsible Offices		3
Scope and Methodology		3
Prior Audit Work		4
Results		4
Conclusion		8
Recommendations		8
Agency Response and OIG Evaluation		8
Status of Recommendations and Potential Monetary Benefits		10
Appendices
A Status of Corrective Actions on Prior OIG Report Recommendations	 11
B Distribution	 12

-------
Purpose
The Office of Inspector General (OIG) of the U.S. Environmental Protection
Agency (EPA) conducted this follow-up audit to determine whether the EPA
completed corrective actions for Recommendation 3 in EPA OIG Report
No. 17-P-0344, EPA Lacks Processes to Validate Whether Contractors Receive
Specialized Role-Based Training for Network and
Data Protection, issued July 31, 2017.
Recommendation 3 required the EPA to implement a
process to require agency personnel to maintain a list
of contractors who have significant information
security responsibilities and are required to take role-
based training (RBT). Additionally, the
recommendation required agency personnel to
validate and report to the EPA's Chief Information Security Officer (ISO) that all
contractors have completed required RBT. We also sought to determine:
•	Whether fiscal year (FY) 2018 certifications provided to the EPA's Chief
ISO were complete, accurate and supported by records maintained by the
respective EPA offices.
•	What additional steps the EPA needs to take to verify that agency
contractors complete the required, specialized RBT.
Background
As of September 30, 2018, the EPA planned to spend $209.6 million for
information technology (IT) services contracts. These contracts provide IT
operations and maintenance support services for the EPA's program and regional
offices (Table 1).
Table 1: EPA program offices and regions
11 program offices	10 regions (location)
Office of Air and Radiation	Region 1 (Boston)
Office of Chemical Safety and Pollution Prevention	Region 2 (New York)
Office of the Chief Financial Officer	Region 3 (Philadelphia)
Office of Enforcement and Compliance Assurance	Region 4 (Atlanta)
Office of General Counsel	Region 5 (Chicago)
Office of Inspector General	Region 6 (Dallas)
Office of International and Tribal Affairs	Region 7 (Kansas City)
Office of Land and Emergency Management	Region 8 (Denver)
Office of Mission Support	Region 9 (San Francisco)
Office of Research and Development	Region 10 (Seattle)
Office of Water	
Source: EPA website.
RBT is role-specific training for an individual based on the person's functional job and
responsibilities; through continuous education, the person's knowledge, skills and abilities
are enhanced.
20-P-0007
1

-------
The contracted IT support functions include network infrastructure, database
administration, computer/network system security, application development and
website management. System administrators, network administrators and system
architects are examples of roles that EPA contractors perform that have
significant information security responsibilities. These roles allow the contractor
to update information security controls to protect EPA systems and data from
fraud, waste and abuse. As such, these contractors must complete specialized
RBT as required by information security directives.
The EPA Chief Information Officer's (CIO's) Information Directive
No. CIO 2150.4, Information Security Policy, approved December 28, 2016, says
that the EPA Information Security Program shall include "[m]andatory role-based
information security training for personnel designated as having significant
information security responsibilities to carry out their information security
responsibilities." Similarly, the EPA's Information Directive
No. CIO 2150-P-02.2, Information Security - Awareness and Training
Procedures, approved February 16, 2016, requires that the EPA must "[d]evelop
and maintain role based training, education and credentialing requirements to
ensure EPA employees and contractors designated as having significant
information security responsibilities receive adequate training with respect to such
responsibilities." CIO 2150-P-02.2 also requires adherence to the National
Institute of Standards and Technology Special Publication 800-53 Revision 4,
Security and Privacy Controls for Federal Information Systems and
Organizations, which establishes procedures and guidelines for RBT.
The EPA also took steps to require program and regional offices to include these
training requirements in new contractual agreements. In December 2016, the EPA
issued Interim Policy Notice 17-01, Use of 22 Cybersecurity Tasks. This notice
directed the Office of Environmental Information (now part of the Office of Mission
Support), as the agency's cybersecurity technical experts, to (1) identify
cybersecurity tasks, to include RBT for contractors, as necessary in both new
contracts and new work starting under existing contracts and (2) coordinate with the
EPA's acquisition management office to modify or amend solicitations and contracts
to include cybersecurity tasks.
In April 2018, Environmental Protection Agency Acquisition Guide (EPAAG),
subsection 39.1.2, "Cybersecurity Tasks," was issued to finalize Interim Policy
Notice 17-01. EPAAG 39.1.2 provides that Contracting Officer's Representatives
(CORs) should work with the Office of Environmental Information to determine
whether any cybersecurity tasks must be "added or included" to the COR's
contractual documents.
Further, on August 15, 2018, the EPA issued a memorandum, Certification of
Information Security Role-Based Training for Contractor Staff, that requires all
Senior Information Officials to provide written certification—to be submitted to
the agency's Chief ISO by September 30 of each year—that EPA contractors with
information security duties have completed the necessary RBT specific to their
contract roles.
Responsible Offices
Within the EPA's Office of Mission Support, the Office of Acquisition
Solutions is responsible for planning, awarding and administering contracts.
The Office of Information Security and Privacy, also within the Office of
Mission Support, handles information security oversight and compliance with
RBT requirements.
Scope and Methodology
We performed this performance audit from February 2019 through August 2019
in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. The evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objectives.
We performed the following activities:
•	Selected a judgmental sample of 15 IT services contracts to determine
whether RBT requirements were included, as required by EPA
information security directives.
•	Obtained training certificates for a sample of contractors to determine
whether contractors completed RBT requirements by September 30, 2018.
•	Interviewed EPA ISOs and CORs to obtain an understanding of the agency's
processes for tracking and reporting the status of RBT for agency contractors
with significant information security responsibilities.
•	Obtained the FY 2018 certifications to determine whether all EPA offices
submitted the required information to the EPA's Chief ISO by
September 30, 2018.
•	Interviewed EPA management to determine whether corrective actions
have been implemented to maintain a list of contractors required to take
RBT and whether management validated that all contractors have
completed RBT requirements.
ISOs determine whether contractor training meets the EPA's RBT requirements.

-------
Prior Audit Work
The EPA OIG issued Report No. 17-P-0344, EPA Lacks Processes to Validate
Whether Contractors Receive Specialized Role-Based Training for Network and
Data Protection, on July 31, 2017. This prior report noted that the EPA had not
implemented an oversight process to track and report contractor compliance with
RBT. See Appendix A for the status of the EPA's corrective actions in response
to this prior report's recommendations.
Results
The EPA continues to lack internal controls to monitor contractor compliance with
completing mandatory training requirements. Office of Management and Budget
Circular A-123, Management's Responsibility for Enterprise Risk Management and
Internal Control, states that management is "responsible for establishing and
maintaining internal controls to achieve specific internal control objectives related
to operations, reporting, and compliance." In this regard, management is
responsible for establishing internal controls to comply with federal requirements
that provide for contractors to complete RBT as part of their assigned duties.
Additionally, these internal controls should enforce compliance with EPA
directives that RBT requirements be included in IT services contracts and that
Senior Information Officials annually certify that this training has been completed.
EPA management stated that actions were taken to address Recommendation 3 in
our prior audit report. However, we found that:
•	Most EPA offices did not submit the FY 2018 certifications to the EPA's
Chief ISO.
•	RBT requirements were not included in existing IT services contracts.
•	Agency personnel did not maintain a list of contractors requiring RBT.
As a result, the EPA lacked the necessary controls and information to validate that
the RBT requirements are incorporated within the agency's reporting and
acquisition processes. Consequently, EPA management did not have adequate
assurance that its contractor staff is acquiring continuous training to strengthen
their skills and knowledge to protect the EPA's security infrastructure from
security breaches or cybersecurity incidents.
Immediate Action Needed to Validate Contractors Completed RBT
The EPA lacked necessary information to certify that contractor personnel
supporting the agency's information security posture completed the annually
required RBT. For FY 2018, only seven of 21 (33 percent) EPA offices submitted
a complete response certifying that contractor personnel completed the required
RBT, as shown in Figure 1.

-------
Figure 1: FY 2018 certification submissions by EPA's offices and regions
Yes, complete certification submitted (33 percent):
•	Office of Chemical Safety and Pollution Prevention
•	Office of Inspector General
•	Office of Research and Development
•	Regions 2, 4, 9 and 10
Partial certification submitted (10 percent):
•	Office of Air and Radiation
•	Office of Enforcement and Compliance Assurance
Not submitted (57 percent):
•	Office of the Chief Financial Officer
•	Office of General Counsel
•	Office of International and Tribal Affairs
•	Office of Land and Emergency Management
•	Office of Mission Support
•	Office of Water
•	Regions 1, 3, 5, 6, 7 and 8
Source: OIG analysis.
This situation occurred because the EPA did not have internal controls in place to
validate that all program offices and regions submitted complete and accurate
training certifications of compliance with RBT requirements. Due to a lack of
internal controls, the EPA did not:
•	Verify written certifications submitted by program offices and regions for
accuracy and completeness, citing reliance upon the Senior Information
Officials and ISOs to validate certification information with CORs at their
respective offices.
•	Follow up with those EPA offices that did not submit written certifications
by September 30, 2018, citing the incorrect belief that the EPA's
August 15, 2018, memorandum required the certifications beginning
September 30, 2019, not September 30, 2018.
Without knowing that contractor personnel are maintaining professional
competencies needed to satisfactorily perform their information security duties,
there is limited assurance that EPA management can rely on the capabilities of its
contractor workforce to protect the confidentiality, integrity and availability of the
agency's networks, applications and data.

-------
EPA Contracts Need Updating to Require that Contractors Complete
Training to Protect the Agency's Network
EPA IT services contracts lacked the requirements for contractor personnel with
significant information security responsibilities to complete required RBT. Based
on our review of 15 IT services contracts with a cumulative obligated value of
$97,171,967, only four of the contracts (valued at $15,254,844, or 16 percent of
the cumulative obligated value) contained a requirement for contractor personnel
to complete RBT (Figure 2).
Figure 2: Analysis of 15 IT service contracts reviewed for RBT requirements
(Pie chart of the $97.2 million obligated value: four contracts, valued at
$15,254,844 or 16 percent, contained RBT requirements; the remaining 11 contracts
did not contain RBT requirements.)
Source: OIG analysis.
In interviews, the CORs of the 15 IT services contracts that we sampled told us
that they:
•	Were not familiar with EPAAG 39.1.2.
•	Did not know/believe it was their responsibility to include the EPAAG
requirements in contracts.
•	Had not been trained on how to incorporate the EPAAG 39.1.2
requirements within IT contractual documents.
Additionally, we learned that the EPA's current process to include cybersecurity
tasks—for example, RBT—in the agency's contracts differs from previous
processes. For example, the Interim Policy Notice 17-01, Use of 22 Cybersecurity
Tasks, issued December 2016, required cybersecurity tasks to be included in
existing and new contracts (i.e., IT services contracts). However, EPAAG 39.1.2's
business process to implement the EPAAG's cybersecurity requirements only
includes the review of new contracts.
EPAAG 39.1.2, "Cybersecurity Tasks," dated April 2018, states:
•	The agency's cybersecurity technical expert is responsible for including any
of the cybersecurity tasks as necessary in its performance work statements
and statements of work.
•	CORs who do not work in OEI [Office of Environmental Information] should
seek assistance from OEI when choosing which, if any, of the subject
cybersecurity tasks must be added or included in the COR's performance
work statements or statements of work.
Without the RBT training requirements in the IT services contracts, the EPA has
limited assurance that contractor personnel are maintaining and acquiring the
technical skills and knowledge needed to help the EPA maintain a robust
information security posture to withstand cyber activities designed for destroying,
stealing or holding for ransom EPA information systems and sensitive
information.
EPA Needs a Current List of Contractor Personnel Required to
Complete RBT
EPA personnel did not consistently maintain a list of contractor personnel subject
to the RBT requirement. For eight of the 15 IT services contracts that we sampled,
EPA personnel did not maintain a roster of contractor personnel who need RBT.
EPA CIO 2150-P-02.2, Information Security - Awareness and Training
Procedures, requires ISOs to "identify all individuals requiring role-based
security-related training within their respective program offices or regions." This
requirement applies to all personnel with significant security responsibilities or
functions, including EPA employees, contractors and others working on behalf of
the EPA.
EPA personnel overseeing contractors required to meet RBT requirements did not
agree on where ownership for maintaining the list should reside, and the agency's
procedures do not specify any position responsible for maintaining the list of
individuals required to take RBT. For example, EPA personnel serving as CORs
for contracts with RBT requirements commented that:
•	Their role was to make sure that the contractors have system access, not to
maintain a list.
•	They relied on the contract Program Manager, Contracting Officer or
Project Officer to maintain the list.
However, even though EPA procedures require the ISOs to identify contractors
who need RBT, one ISO commented that the COR should maintain the list
because the COR determines which contractors have significant information
security roles based on their positions.
Without a list identifying which contractor personnel are required to complete
RBT, agency personnel cannot effectively perform their assigned duties to
provide EPA management assurance that its contractor workforce is highly skilled
and trained to protect the EPA's security infrastructure from security breaches or
cybersecurity incidents.

-------
Conclusion
These findings were first reported in our Report No. 17-P-0344, issued July 31,
2017. In this report, we concluded that the EPA could not accurately identify the
number of agency contractors who are performing significant information security
duties and who are thus required to complete RBT. We are issuing this
management alert report on these weaknesses because immediate improvements
are needed to verify that contractors are trained in their roles to protect agency
systems and data.
Recommendations
We recommend that the Assistant Administrator for Mission Support:
1.	Develop and implement internal controls to validate that all EPA offices
submit the required annual role-based training certification confirming that
all contractors with significant information security responsibilities have
completed the required role-based training for their respective offices.
2.	Develop and implement internal controls to train EPA Contracting
Officer's Representatives on mandatory role-based training requirements
(i.e., EPA Acquisition Guide 39.1.2) that should be included in the EPA's
information technology services contracts.
3.	Implement a plan to analyze the EPA's information technology services
contractual agreements initiated prior to EPA Acquisition Guide 39.1.2 to
(a) determine how many of these agreements require modification to
include role-based training requirements and (b) include the training
requirements in the respective agreements.
4.	Issue a memorandum to the regions and program offices requiring
managers, supervisors and Contracting Officer's Representatives to
provide their respective Information Security Officer with a list of
contractor personnel required to complete role-based training so that the
Information Security Officer can track personnel's completion of the
required training.
Agency Response and OIG Evaluation
On June 3, 2019, we issued a discussion document to the EPA outlining our
findings and recommendations. On June 27, 2019, the agency provided informal
comments to the discussion document. We met with EPA officials on July 8,
2019, to further discuss their informal comments to the discussion document, as
summarized below.

-------
We also met with EPA senior officials on September 18, 2019, to discuss the
status of the recommendations and informed them the OIG would not issue a draft
report but would instead move directly to issuing a final report, as the EPA used
the prior year's certification and reporting process for FY 2019.
The agency agreed with Recommendation 1. The EPA's Office of Mission
Support provided documentation that supports it completed corrective actions to
address Recommendation 1.
The agency agreed with Recommendation 2. We included additional language to
Recommendation 2 based on general comments provided by the EPA regarding
the finding on IT services contracts lacking cybersecurity requirements, and the
EPA agreed with the revisions. However, Recommendation 2 remains unresolved
because the EPA did not provide planned corrective actions with milestone dates.
Agency officials initially disagreed with Recommendation 3. However, following
discussions with the agency, the OIG revised Recommendation 3. The EPA
agreed with the revisions made to the recommendation but did not provide
planned corrective actions with milestone dates. Therefore, Recommendation 3 is
unresolved.
Agency officials initially disagreed with Recommendation 4. However, following
discussions with the OIG, the EPA's Office of Mission Support provided us with
a copy of recently issued guidance sent by the EPA's Chief ISO to EPA offices.
This guidance reaffirms that the offices are required to submit annually to their
respective ISO a list of contractor personnel requiring RBT. As such, the EPA
completed corrective actions to address Recommendation 4.

-------
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec. No.	Page No.	Subject	Status¹	Action Official	Planned Completion Date	Potential Monetary Benefits (in $000s)
1	8	Develop and implement internal controls to validate that all EPA offices submit the required annual role-based training certification confirming that all contractors with significant information security responsibilities have completed the required role-based training for their respective offices.	C	Assistant Administrator for Mission Support	9/19/19	
2	8	Develop and implement internal controls to train EPA Contracting Officer's Representatives on mandatory role-based training requirements (i.e., EPA Acquisition Guide 39.1.2) that should be included in the EPA's information technology services contracts.	U	Assistant Administrator for Mission Support		
3	8	Implement a plan to analyze the EPA's information technology services contractual agreements initiated prior to EPA Acquisition Guide 39.1.2 to (a) determine how many of these agreements require modification to include role-based training requirements and (b) include the training requirements in the respective agreements.	U	Assistant Administrator for Mission Support		
4	8	Issue a memorandum to the regions and program offices requiring managers, supervisors and Contracting Officer's Representatives to provide their respective Information Security Officer with a list of contractor personnel required to complete role-based training so that the Information Security Officer can track personnel's completion of the required training.	C	Assistant Administrator for Mission Support	7/3/19	
¹ C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.

-------
Appendix A
Status of Corrective Actions
on Prior OIG Report Recommendations
Below is the status of the EPA's corrective actions associated with the four recommendations in
the prior OIG Report No. 17-P-0344, issued July 31, 2017, as documented in the agency's
Management Audit Tracking System at the time of our audit:
•	Recommendation 1 required the EPA to update the EPAAG to include cybersecurity
tasks contained in Interim Policy Notice 17-01, Use of 22 Cybersecurity Tasks
(December 2016). The agency reported that it completed the corrective actions on
June 1, 2018.
•	Recommendation 2 required the EPA to develop and implement a strategy to include
the information security contract clause requiring contractors to complete RBT into
all existing and future IT contracts and task orders. The EPA reported that it
completed corrective actions on June 30, 2017.
•	Recommendation 3 required the EPA to implement a process to require agency
personnel to maintain a list of contractors who have significant information security
responsibilities and are required to take RBT. Agency personnel are to validate and
report to the Chief ISO that all contractors have completed required RBT. The EPA
reported it planned to complete corrective actions on December 31, 2018.
•	Recommendation 4 required the EPA to include the number of contractors who have
significant information security responsibilities and have completed the required RBT
in the CIO's Annual Federal Information Security Modernization Act reports
submitted to the Office of Management and Budget. The EPA reported it completed
the corrective actions on March 28, 2018.

-------
Appendix B
Distribution
The Administrator
Assistant Deputy Administrator
Associate Deputy Administrator
Chief of Staff
Deputy Chief of Staff
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Assistant Administrator for Mission Support
Principal Deputy Assistant Administrator for Mission Support
Associate Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Administration and Resources Management,
Office of Mission Support
Deputy Assistant Administrator for Environmental Information and Chief Information Officer,
Office of Mission Support
Director, Office of Continuous Improvement, Office of Administrator
Director, Office of Acquisition Solutions, Office of Mission Support
Director and Chief Information Security Officer, Office of Information Security and Privacy,
Office of Mission Support
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Information Management, Office of Mission Support
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support
Audit Follow-Up Coordinator, Office of Acquisition Solutions, Office of Mission Support

-------